Data protection claims and problems with jurisdiction

FOCUS: A case involving internet giant Google which is set to be ruled on by the European Union's highest court could help define issues relating to jurisdiction and the enforcement of data protection laws in the EU.

Data protection authorities across the European Union have recently encountered problems in enforcing national data protection rules against major internet companies based abroad. Watchdogs in Spain, Germany and the Netherlands have each struggled to enforce local privacy legislation against Google, Facebook and Netflix respectively.

The Court of Justice of the EU (CJEU) is set to rule in a case involving Google and the judgment could offer some clarity about which local data protection rules will apply to multinational internet service providers that process personal data abroad but have a business presence in a local jurisdiction. A date for the judgment to be handed down has not yet been announced,

The opinion of the Advocate General (AG) on this case, which is traditionally given to the CJEU before it makes a ruling, seemingly contradicted findings from a previous German case in which a court was asked to deal with a German privacy watchdog's claim to have jurisdiction over Facebook's operations in Germany.

Ultimately, it may take a change to the data protection law regime in the EU, which is currently subject to reform, for it to become easier for regulators to enforce the law against companies based in other jurisdictions.

Google v the Spanish data protection authority

In Spain, a court was faced with the question of whether the Spanish data protection authority can force Google to remove some results listed in its search rankings. The claimant complained that links to old newspaper articles appear when his name is searched on the Google search engine, and argued that this infringed his privacy rights and that the links should be removed from Google's results page.

Spain's data protection authority upheld this complaint against Google after the company had refused to remove the material. Google has appealed the decision to the Audiencia Nacional, which is the relevant Spanish court, arguing that Google is based in California, US and is not subject to Spain's data protection rules. The court has asked for the CJEU's help in understanding whether Spanish data protection laws can be applied to Google's business.

Google has argued that, because its search engine business is based in the US, the EU's Data Protection Directive should not be applied to it and that, therefore, it cannot be compelled to remove the relevant links. The Directive provides individuals with rights to obtain the "rectification, erasure or blocking of personal data" which are "incomplete or inaccurate" by organisations responsible for, and in control of, their personal data – "data controllers".

The fact Google has a Spanish subsidiary is irrelevant because that business is only responsible for selling advertising on Google and plays no part in the operation of the search engine itself, Google has argued.

Jääskinen said at the time that search engines' activities such as locating, indexing, storing and making available of information published by others qualify them as data processors and not data controllers. Data processors have no direct obligations under the current EU data protection regime. Only if search engines processed personal data in a manner inconsistent with the instructions or requests of publishers could they be classed as data controllers, the AG said.

However, before being able to reach this conclusion, Jääskinen did say that where a parent search engine based outside of the EU is a data controller, an EU subsidiary must also be considered to be a data controller. This in turn would cause the Spanish data protection laws to apply. This is because the EU subsidiary would be acting as a 'bridge' for the search engine function based outside the EU to that member state's advertising market.

This is a remarkable position, as it seems to suggest that Google can qualify as a data controller, to ensure the application of the relevant data protection laws, whilst also subsequently acting as a data processor for those same activities.

Facebook v the Schleswig-Holstein data protection authority

The opinion of Jääskinen in the Google case is at odds with what the data protection watchdog in the German state of Schleswig-Holstein ruled in a case involving Facebook.

In that case, the Schleswig-Holstein data protection authority challenged a Facebook policy that requires users to register using their real names and which allows the social networking company to block individuals who do not adhere to this policy. The local German watchdog ordered Facebook to allow users to use pseudonymised data and claimed that forcing people to use their real names breached German data protection laws.

Facebook challenged this decision, claiming that Irish and not German data protection rules applied to its activity. This was because Facebook's Irish, rather than its German-based entity which it argued only undertook advertising and marketing functions, was the relevant data controller of the social networking service, it said.

In April of last year, the Schleswig-Holstein Administrative Court of Appeals ruled in Facebook's favour. It said that German data protection laws did not apply to Facebook's activities in Ireland, and forced the Schleswig-Holstein to withdraw its order forcing Facebook to facilitate users who signed up using anonymised or pseudonymised details.

The contradiction

If the approach of the Schleswig-Holstein court had been taken in the Google Spain case, Google's Spanish subsidiary would have been precluded from having to comply with the Spanish data protection law, as it – like Facebook's German entity – only undertook an advertising and marketing function.

After the Facebook case, it appeared that non-EU companies with a European subsidiary that is processing, collecting or using data through a subsidiary in an EU territory were not subject to the EU data protection rules in EU territories other than the one in which the subsidiary responsible for personal data processing is based. In such cases, if no EU based subsidiary acted as a data controller, the non-EU data controller would not have to comply with the EU data protection rules.

If this were so, it would have allowed parent companies to 'forum shop' and establish a 'data controller' subsidiary in EU countries where data protection laws are more liberal or enforced less stringently.

However, the opinion of Advocate General Jääskinen in the Google Spain case raises doubts about this. If that opinion is followed by the CJEU, companies such as Facebook and Google will need to be aware that the group's activities as a whole will be taken into consideration when determining which data protection laws apply, regardless of what activities each EU entity is carrying out. This seems to align with the efforts the EU data protection authorities have been making lately to subject a number of US-based multinational internet service providers to EU data protection rules.

A solution on the horizon?

Part of the problem in the EU at the moment is the fragmented way in which the existing Data Protection Directive is applied across each of the 28 member states.

However, a proposed new EU Data Protection Regulation has been outlined and, if introduced, would help standardise data protection laws and their enforcement across the trading bloc. This is because a Regulation is applicable in all EU countries and does not need to be transposed into national laws before becoming enforceable. A Directive, however, leaves member states more leeway when implementing its provisions.

The new Regulation would, it is proposed, apply if the data controller, and/or processor are based in the EU, or if the processing relates to EU based data subjects in relation to goods or services offered to those data subject, or if they are monitored by the data controller. This is a very important change for non-EU based companies.

The forthcoming data protection reforms, on paper at least, look set to widen the scope of EU data protection rules and clarify the jurisdictional questions that the current Directive has posed.

However, whether data protection authorities will be able to enforce EU laws against companies based entirely outside of the trading bloc remains to be seen. The UK's Information Commissioner is just one of the stakeholders in the debate around the reforms to have voiced scepticism over the practicality of doing so.

Lore Leitner is a data protection law specialist at Pinsent Masons, the law firm behind Out-Law.com